CVE-2025-13836

HIGH

Python < 3.13.11 - Denial of Service

Title source: rule

Description

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

References (9)

Core 9

Core References

Issue Tracking, Patch issue-tracking

https://github.com/python/cpython/issues/119451

Issue Tracking, Patch patch

https://github.com/python/cpython/pull/119454

Patch patch

https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155

Patch patch

https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5

Vendor Advisory vendor-advisory

https://mail.python.org/archives/list/[email protected]/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/

Patch patch

https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628

Patch patch

https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0

Patch patch

https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c

Scores

CVSS v3 7.5

EPSS 0.0010

EPSS Percentile 26.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (3)

python/python 3.14.0

python/python 3.15.0 alpha1 (2 CPE variants)

python/python < 3.13.11

Published Dec 01, 2025

Tracked Since Feb 18, 2026